# ================= Stage 1: 构建 Nginx with WAF 模块 ==================
# 使用 Alpine 3.18 基础镜像作为构建阶段
FROM alpine:3.18 AS builder

LABEL maintainer="eric@slant.co"

# 设置版本号
ENV NGINX_VERSION=1.22.0 \
    WAF_VERSION=6.1.9 \
    LIBINJECTION_VERSION=3.10.0 \
    UTHASH_VERSION=2.3.0

# 替换 Alpine 的官方源为阿里云源
#RUN sed -i 's|https://dl-cdn.alpinelinux.org/alpine|https://mirrors.aliyun.com/alpine|g' /etc/apk/repositories && \
#    apk update && \
#    apk upgrade

# 安装构建依赖
RUN apk add --no-cache --virtual .build-deps \
        gcc \
        libc-dev \
        make \
        openssl-dev \
        pcre-dev \
        zlib-dev \
        linux-headers \
        curl \
        gnupg \
        libxslt-dev \
        gd-dev \
        geoip-dev \
        perl-dev \
        flex \
        bison \
        unzip \
        libsodium-dev \
        tar \
        gzip \
        zip

# 创建目录并下载 Nginx 和 WAF 模块
WORKDIR /usr/src

# 下载并解压 Nginx
RUN curl -fSL http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx.tar.gz && \
    tar -zxC /usr/src -f nginx.tar.gz && \
    rm -rf nginx.tar.gz

# 下载并解压 ngx_waf 模块
RUN curl -fSL https://github.com/ADD-SP/ngx_waf/archive/refs/tags/v${WAF_VERSION}.tar.gz -o ngx_http_waf_module.tar.gz && \
    tar -zxC /usr/src -f ngx_http_waf_module.tar.gz && \
    mv /usr/src/ngx_waf-${WAF_VERSION} /usr/src/ngx_http_waf_module && \
    rm -rf ngx_http_waf_module.tar.gz

# 安装 libinjection（用于 WAF）
RUN mkdir -p /usr/src/ngx_http_waf_module/inc && \
    curl -fSL https://github.com/libinjection/libinjection/archive/refs/tags/v${LIBINJECTION_VERSION}.zip -o libinjection.zip && \
    unzip libinjection.zip -d /usr/src/ngx_http_waf_module/inc/ && \
    mv /usr/src/ngx_http_waf_module/inc/libinjection-${LIBINJECTION_VERSION} /usr/src/ngx_http_waf_module/inc/libinjection && \
    rm -rf libinjection.zip

# 安装 uthash（用于 WAF）
RUN mkdir -p /usr/local/src && \
    curl -fSL https://github.com/troydhanson/uthash/archive/refs/tags/v${UTHASH_VERSION}.tar.gz -o uthash.tar.gz && \
    tar -zxC /usr/local/src -f uthash.tar.gz && \
    mv /usr/local/src/uthash-${UTHASH_VERSION} /usr/local/src/uthash && \
    rm -rf uthash.tar.gz

# 编译 WAF 模块
WORKDIR /usr/src/ngx_http_waf_module
ENV LIB_UTHASH=/usr/local/src/uthash
RUN make

# 配置和编译 Nginx
WORKDIR /usr/src/nginx-${NGINX_VERSION}
ENV CONFIG="--prefix=/etc/nginx \
    --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib/nginx/modules \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/cache/nginx/client_temp \
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
    --user=nginx \
    --group=nginx \
    --with-http_ssl_module \
    --with-http_realip_module \
    --with-http_addition_module \
    --with-http_sub_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_mp4_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_random_index_module \
    --with-http_secure_link_module \
    --with-http_stub_status_module \
    --with-http_auth_request_module \
    --with-http_xslt_module=dynamic \
    --with-http_image_filter_module=dynamic \
    --with-http_geoip_module=dynamic \
    --with-http_perl_module=dynamic \
    --with-threads \
    --with-stream \
    --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --with-stream_realip_module \
    --with-stream_geoip_module=dynamic \
    --with-http_slice_module \
    --with-mail \
    --with-mail_ssl_module \
    --with-compat \
    --with-file-aio \
    --with-http_v2_module \
    --add-module=/usr/src/ngx_http_waf_module"

# 创建用户组和用户
RUN addgroup -S nginx && \
    adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx

# 配置、编译安装 Nginx
RUN ./configure $CONFIG --with-debug && \
    make -j$(getconf _NPROCESSORS_ONLN) && \
    make install && \
    strip /usr/sbin/nginx* && \
    strip /usr/lib/nginx/modules/*.so

# 清理无用文件
RUN rm -rf /etc/nginx/html/* && \
    mkdir -p /etc/nginx/conf.d && \
    mkdir -p /usr/share/nginx/html && \
    cp html/index.html /usr/share/nginx/html/ && \
    cp html/50x.html /usr/share/nginx/html/


# ================ Stage 2: 最终运行时镜像 ==================
FROM alpine:3.18

# 替换 Alpine 的官方源为阿里云源（可选）
#RUN sed -i 's|https://dl-cdn.alpinelinux.org/alpine|https://mirrors.aliyun.com/alpine|g' /etc/apk/repositories


# 更新索引并安装 tzdata
RUN apk update && \
    apk add --no-cache tzdata && \
    cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
    echo "Asia/Shanghai" > /etc/timezone
# 复制构建阶段中的必要文件
COPY --from=builder /usr/sbin/ /usr/sbin/
COPY --from=builder /usr/lib/nginx/ /usr/lib/nginx/
COPY --from=builder /etc/nginx/ /etc/nginx/
COPY --from=builder /usr/share/nginx/html/ /usr/share/nginx/html
# 新增：复制 ngx_waf 的 assets 资源目录
COPY --from=builder /usr/src/ngx_http_waf_module/assets /usr/local/src/ngx_waf/assets

# 创建 nginx 用户和目录
RUN addgroup -S nginx && \
    adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx && \
    mkdir -p /var/log/nginx /var/cache/nginx && \
    ln -sf /dev/stdout /var/log/nginx/access.log && \
    ln -sf /dev/stderr /var/log/nginx/error.log

# 安装运行时依赖
RUN apk add --no-cache \
        libgcc \
        libstdc++ \
        pcre \
        openssl \
        zlib \
        libxslt \
        gd \
        geoip \
        perl \
        libsodium

# 安装 Bash
RUN apk add --no-cache bash bash-doc bash-completion

# 设置默认的shell为Bash
RUN echo "/bin/bash" >> /etc/shells && \
    sed -i 's|/bin/ash$|/bin/bash|' /etc/passwd

# 可选：复制配置文件
COPY nginx.conf /etc/nginx/nginx.conf
COPY default.conf /etc/nginx/conf.d/default.conf

# 开放端口
EXPOSE 80 443

# 设置停止信号
STOPSIGNAL SIGTERM

# 启动命令
CMD ["nginx", "-g", "daemon off;"]